One of the challenges of hosting your own site and using WordPress is security. As WP has gotten more and more popular, it has become a huge target for hackers of all sorts. I’ve had my own fair share of old installations getting hacked and causing problems for live sites, rogue files, brute force login attempts that create a denial of service, DOS attacks against XMLRPC, and so on over the years.
Recently, I came across a mention of a security plugin called Wordfence and decided to try it out. It scans your install for any changes made to the WordPress core, theme and plugin files by comparing them to the original from the WordPress codex. Sure enough, for the couple of places where I had made some customizations, it noted those as changed files and warned me about them. It then let me mark those as safe to ignore, provided they don’t change again, which is nice. I’m always nervous when a security app allows the user to set it to ignore a file, and then that’s the file that gets corrupted, and it continues to ignore it. It even warned me about a corrupt file that I had missed about 8 folders deep when I was cleaning up that infection last year, so that’s also nice!
Eventually though, I got everything cleaned up and verified with one more scan!
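To make the "safe to ignore, provided they don’t change again" idea concrete, here is an added sketch (not Wordfence's code, and not from the original post) of a baseline scan where an accepted customization is pinned to the hash that was reviewed. The function names, file paths and file contents are constructed for illustration, and it assumes the scanned tree holds only code files.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan(root, baseline, accepted):
    """Compare files under root with baseline {relpath: sha256}.

    accepted maps relpath -> sha256 of a customization the admin reviewed;
    it silences only that exact content, never the path as a whole.
    """
    report = {"modified": [], "unknown": [], "accepted": [], "missing": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            digest = sha256_file(full)
            if rel not in baseline:
                report["unknown"].append(rel)    # rogue file, however deep
            elif digest == baseline[rel]:
                continue                         # matches the original
            elif accepted.get(rel) == digest:
                report["accepted"].append(rel)   # reviewed change, unchanged since
            else:
                report["modified"].append(rel)   # changed again: warn again
    report["missing"] = list(set(baseline) - seen)
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Constructed sample tree; every path and file body here is made up."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
            return sha256_file(path)
        baseline = {"core/load.php": write("core/load.php", "<?php // original\n"),
                    "theme/header.php": write("theme/header.php", "<?php // stock\n")}
        # The admin customizes a theme file and accepts that exact version.
        accepted = {"theme/header.php": write("theme/header.php", "<?php // my tweak\n")}
        write("a/b/c/d/e/f/g/h/x.php", "<?php // file nobody installed\n")
        first = scan(root, baseline, accepted)
        # The accepted file changes again; the pinned hash no longer matches.
        write("theme/header.php", "<?php // my tweak plus something else\n")
        return first, scan(root, baseline, accepted)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first scan reports the customized file as accepted and the deeply nested file as unknown; the second scan moves the customized file back to modified because its content no longer matches what was reviewed.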
I was doing a little light reading last night, about the latest scourge of iCloud attacks, wherein a hacker gets access to your iCloud account, and using the Find my iPhone service, puts your device in “lost mode” and sets up a PIN to lock you out of your own device until you pay the ransom.
It’s brilliant in its simplicity, gaining access to a cloud service that is used to protect your data, and using its own tools against you.
As I continued reading about the theories about how the hacker was gaining access to the iCloud accounts, and ways to protect yourself from this kind of attack, this bit jumped out at me. I almost spilled my drink.
iPhones and iPads that have a PIN don’t present the attacker with the ability to set their own. That screen earlier on where I remotely locked the device is only presented when it doesn’t already have a PIN so that immediately thwarts this attack. Even if the device is just for the kids, if you connect it to iCloud, put a PIN on it (don’t worry about it making life hard for them, kids have an uncanny ability to access a device protected by nothing more than four numbers).
What the hell, people? Ask anyone about losing their phone and they’ll likely tell you about how awful that would be, how it has “their whole life on there”, but they still walk around without even the simplest of security turned on? Really, is the 2 seconds it takes to enter a PIN too much effort? C’mon, we have to be better than that. If you don’t have a PIN on your iPhone or iPad, please go check out how to enable one. The next time you leave your device somewhere, or set it down in a crowded room/bar/restaurant/etc., you’ll be glad for that meager bit of protection from prying fingertips.